USB PCAP Forensics: Graphics Tablet (NSEC CTF 2021 Writeup, Part 2/3)

Exploring the PCAP

Extracting and understanding the data

Thanks, osdev.org
Cyberchef is ❤
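The osdev.org description of a boot-protocol mouse report (byte 0 is the button bitmask, bytes 1 and 2 are signed 8-bit X and Y displacements) is all you need to turn the exported payloads into movement events. The decoder below is an added example, not the writeup's own code. It assumes the interrupt-transfer payloads have already been pulled out of the PCAP as one hex string per packet, the form tshark's `usb.capdata` field or a CyberChef "From Hex" recipe hands you; the sample lines inside the block are constructed for illustration and are not from the challenge capture.

```python
"""Decode USB HID boot-protocol mouse reports into (left, dx, dy) events.

Added example, not the writeup's code. Report layout, per osdev.org:
  byte 0: button bitmask (bit 0 left, bit 1 right, bit 2 middle)
  byte 1: X displacement, two's-complement int8
  byte 2: Y displacement, two's-complement int8
  byte 3 (optional): wheel, ignored here
Input is assumed to be one colon-separated hex string per packet, as
exported from the capture (for example tshark's usb.capdata field).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample payloads (not from the CTF capture). The high bit of
# byte 0 is set throughout, so masking bit 0 is what isolates the left button.
SAMPLE_CAPDATA = """\
80:01:fd
80:01:fe
81:03:00
81:02:01
81:00:02
80:ff:fa
80:00:00:00
"""


@dataclass(frozen=True)
class MouseEvent:
    left: bool  # left button held while this report was sent
    dx: int     # horizontal displacement since the previous report
    dy: int     # vertical displacement since the previous report


def to_signed8(b: int) -> int:
    """Interpret one byte as two's-complement int8 (0xfd -> -3, 0x7f -> 127)."""
    return b - 256 if b & 0x80 else b


def parse_report(report: bytes) -> MouseEvent:
    """Decode a single HID report; longer reports (wheel byte) are tolerated."""
    if len(report) < 3:
        raise ValueError(f"report too short to be a mouse report: {report.hex()}")
    return MouseEvent(
        left=bool(report[0] & 0x01),
        dx=to_signed8(report[1]),
        dy=to_signed8(report[2]),
    )


def parse_capdata(lines: Iterable[str]) -> List[MouseEvent]:
    """Turn exported hex lines ('80:01:fd' or '8001fd') into events, in order."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        events.append(parse_report(bytes.fromhex(line.replace(":", ""))))
    return events


def strokes(events: Iterable[MouseEvent],
            start: Tuple[int, int] = (0, 0)) -> List[List[Tuple[int, int]]]:
    """Replay the deltas into absolute coordinates.

    Each contiguous run of left-button-down reports becomes one stroke, a list
    of the absolute points visited while the button was held.
    """
    x, y = start
    result: List[List[Tuple[int, int]]] = []
    current: List[Tuple[int, int]] = []
    for ev in events:
        x += ev.dx
        y += ev.dy
        if ev.left:
            current.append((x, y))
        elif current:
            result.append(current)
            current = []
    if current:
        result.append(current)
    return result


def bounding_box(stroke_list: List[List[Tuple[int, int]]]
                 ) -> Optional[Tuple[int, int, int, int]]:
    """(min_x, min_y, max_x, max_y) over all drawn points, or None if nothing was drawn."""
    points = [p for stroke in stroke_list for p in stroke]
    if not points:
        return None
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (min(xs), min(ys), max(xs), max(ys))


if __name__ == "__main__":
    evs = parse_capdata(SAMPLE_CAPDATA.splitlines())
    drawn = strokes(evs)
    print(f"{len(evs)} reports, {len(drawn)} stroke(s), bbox={bounding_box(drawn)}")
```

The `strokes` output is what you actually want to draw, and `bounding_box` tells you how large the canvas must be, which removes the guesswork of allocating an oversized image before you know the extent of the message. The events can also be converted back to `(buttons, dx, dy)` tuples to feed the rendering script further down.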

Recovering what was written

from PIL import Image

# HID boot-protocol mouse reports extracted from the capture, as
# (buttons, dx, dy) tuples. Only the first two and the last are shown here.
mouse_events = [
    (0x80, 0x01, 0xfd),
    (0x80, 0x01, 0xfe),
    # ... (remaining reports from the capture)
    (0x80, 0xff, 0xfa),
]

# Make the image big because we don't know how long the message is
img = Image.new('RGB', (10000, 10000), color='white')
canvas = img.load()

# Start the cursor in the middle of the canvas
mouse_x = 5000
mouse_y = 5000

for data in mouse_events:
    # Get the left mouse button status (bit 0 of the button bitmask)
    left_button_pressed = data[0] & 0b00000001

    # Get the mouse movement in x and y (signed 8-bit deltas)
    x_offset = int.from_bytes(data[1:2], "big", signed=True)
    y_offset = int.from_bytes(data[2:3], "big", signed=True)

    mouse_x += x_offset
    mouse_y += y_offset

    if left_button_pressed:
        # These two for loops are to make the pixels thicker (5x5 square)
        for i in range(5):
            for j in range(5):
                px, py = mouse_x + i, mouse_y + j
                # Skip points that wander off the canvas instead of crashing
                if 0 <= px < img.width and 0 <= py < img.height:
                    # Write a black pixel on the canvas
                    canvas[px, py] = (0, 0, 0)

# Save the image to disk
img.save("final.png")


Blue team analyst in Quebec, Canada. Passionate about most aspects of cybersecurity, and very curious in general.
